The Laws That Govern Your Plan, Explained
Here's the part nobody puts in the proposal: you're the plan sponsor. The filings, the notices, the fiduciary duties. They're yours, not your broker's. This page covers what each law demands, when it's due, and what the 2026 numbers are. Verified, with sources.
The Framework
Five laws do most of the governing.
ERISA: the foundation
The 1974 law that makes employer benefit plans federal territory. It demands plan documents and an SPD, annual Form 5500 filings for larger plans, fair claims procedures, and fiduciary conduct: act solely in participants' interest, with expert prudence, paying only reasonable costs. For self-funded plans, ERISA preemption pushes most state insurance mandates aside. And no, there's no small-company exemption from the core duties.
The ACA: offers, affordability, and paperwork
For employers, the ACA means the employer mandate and its reporting trail. At 50+ full-time equivalents you're an ALE: offer minimum essential coverage to 95% of full-time employees, make it affordable (9.96% in 2026) and minimum value, then prove it all on Forms 1094-C and 1095-C. The ACA also brings the SBC, the PCORI fee, W-2 cost reporting, and the out-of-pocket caps in the numbers table below. IRS Letter 226-J enforcement runs on your own filings, sometimes years later.
COBRA: the exit coverage
At 20+ employees, departing workers and their families can continue coverage: 18 months for terminations and hour reductions, up to 36 for events like divorce or death, at up to 102% of full cost. The legal risk isn't the coverage. It's the notices: the general notice, the election notice, and their deadlines. Defective-notice lawsuits are a plaintiff cottage industry. Outsource the administration, then audit it anyway. The liability stays yours.
HIPAA: privacy plus portability
Two jobs. First, special enrollment rights: 30-day windows after life events, 60 days for Medicaid and CHIP changes. Second, privacy and security for plan health data: business associate agreements, safeguards, breach notification. The riskiest PHI in most companies isn't in a system. It's in HR's inbox. Decide what the plan touches and build the wall there.
The CAA: the transparency era
The Consolidated Appropriations Act of 2021 rewired sponsor accountability. It banned gag clauses and makes you attest to that annually. It created RxDC drug reporting. It forces broker compensation disclosure at $1,000+. It requires a written mental health parity NQTL analysis the DOL actually requests. And it built the No Surprises Act. The through-line: the government now assumes you can see your data and police your vendors. Courts grade you on that assumption.
Stop tracking this by hand
72 requirements. One calendar. Filtered to your plan.
The Compliance Calendar personalizes all 72 federal requirements to your group size, funding type, and plan year, then emails you status reports before deadlines hit. Built from the same research as this page.
The Year at a Glance
Deadlines for a calendar-year plan.
Dates below assume a January 1 plan year. Non-calendar plans shift the plan-year-based items. Every row links to the full requirement: citation, penalty, and who's responsible.
Box 12, code DD. Required if you filed 250+ W-2s the prior year.
Online filing within 60 days of plan year start. Calendar-year plans: by March 1.
Or post the alternative notice on your site by this date and keep it up through Oct 15, then furnish within 30 days of any request.
Electronic filing is mandatory for nearly all employers now.
Covers the prior calendar year. Your PBM and TPA usually submit, but the obligation is yours. Confirm in writing.
Welfare plans with 100+ participants. Extension moves it to Oct 15.
$3.84 per covered life this cycle. Self-funded and level-funded plans pay directly; insurers pay for fully-insured plans.
Nine months after plan year end, or Dec 15 if your 5500 was extended.
To all Medicare-eligible individuals before the Oct 15 annual enrollment window opens.
Annual attestation to CMS that your TPA and PBM contracts don’t block your access to cost and claims data.
SBC, CHIP notice, WHCRA, special enrollment rights, Medicare Part D, and more. Most employers batch these with open enrollment materials.
COBRA election (after qualifying events), SMM (after plan changes), HIPAA special enrollment, QMCSO responses. Calendar software won’t save you here. Process will.
This is the headline set, not the whole list. The Compliance Calendar tracks all 72 federal requirements and filters them to what applies to your plan.
Verified Figures
The 2026 numbers, with receipts.
Each figure links to its source. If a vendor quotes you different numbers, one of you is reading an old PDF.
$4,400 / $8,750
HSA contribution limit
Self-only / family, for 2026. Age 55+ can add a $1,000 catch-up contribution.
$1,700 / $3,400
HDHP minimum deductible
Self-only / family. A plan below these deductibles is not HSA-qualified in 2026.
$8,500 / $17,000
HDHP out-of-pocket maximum
Self-only / family. The IRS cap for HSA-qualified plans, lower than the general ACA cap.
$10,600 / $21,200
ACA out-of-pocket maximum
Self-only / family, non-grandfathered plans. HHS revised this upward mid-2025. The originally announced $10,150 / $20,300 no longer applies.
$3,400
Health FSA limit
Employee salary-reduction cap for 2026 plan years. Carryover max is $680.
9.96%
ACA affordability threshold
Employee-only contribution for your cheapest minimum-value plan can't exceed 9.96% of income in 2026. FPL safe harbor: $129.89/month for calendar-year plans.
$3,340
4980H(a) penalty
Per full-time employee (minus the first 30), per year, if you don't offer coverage to 95% of full-time staff and one employee gets subsidized Marketplace coverage.
$5,010
4980H(b) penalty
Per year, for each full-time employee whose coverage was unaffordable or not minimum value and who got a Marketplace subsidy.
$3.84
PCORI fee
Per covered life, plan years ending Oct 2025 through Sep 2026. Self-funded employers file Form 720 by July 31.
$9,325 / $26,993
Average annual premium
Single / family employer coverage in 2025. Workers paid $1,440 and $6,850 of that. Family premiums rose 6% in one year.
~80%
Big-three PBM market share
CVS Caremark, Express Scripts, and Optum Rx processed nearly 80% of the 6.6 billion U.S. prescriptions in 2023. The top six processed over 90%.
$150 / $300
DPC + HSA monthly fee cap
New for 2026: a direct primary care membership up to $150/month (individual) or $300 (more than one person) no longer blocks HSA eligibility, and the fee is a qualified medical expense.
Quick Answers
The questions everyone asks.
Who is legally responsible for health plan compliance, the employer or the broker?
The employer. Under ERISA, the plan sponsor and plan administrator (almost always the employer) carry the legal duties: filings, notices, fiduciary conduct. Brokers, TPAs, and carriers help execute, but penalties and DOL letters go to you. No service agreement changes that.
What are the major compliance deadlines for a calendar-year health plan?
The big recurring ones: 1095-C furnishing by March 2 (or the posted-notice alternative), IRS e-filing by March 31, RxDC reporting by June 1, Form 5500 and the PCORI fee by July 31, the SAR by September 30, Medicare Part D notices before October 15, and the gag clause attestation by December 31. Notice bundles ride along with open enrollment.
Does ERISA apply to small employers?
Yes. ERISA covers employer health plans of every size; there is no small-employer exemption from the documentation and fiduciary rules. The Form 5500 filing has an exemption for fully-insured or unfunded plans under 100 participants, but the SPD requirement and fiduciary duties apply to everyone.
What is the gag clause attestation?
A CAA requirement. Plans must attest to CMS by December 31 each year that their contracts contain no clauses blocking access to provider cost or quality data, or to their own claims data. If your TPA refuses to hand over claims data, your attestation and their contract are in direct conflict. Useful tension. Use it.
What is RxDC reporting?
The CAA’s annual prescription drug data collection, due to CMS by June 1 for the prior calendar year. PBMs and TPAs typically file most sections on your behalf, but the legal obligation belongs to the plan. Get written confirmation of filing every year.
What happens if you miss a Form 5500 filing?
DOL penalties accrue per day with no statutory cap, and they find missing filings easily. The Delinquent Filer Voluntary Compliance Program (DFVCP) caps the damage at a fixed amount if you self-correct before the DOL contacts you. If you discover a missed filing, move first.